[Full-disclosure] [SECURITY] CVE-2011-3375 Apache Tomcat Information disclosure

2012-01-17 Thread Mark Thomas
CVE-2011-3375 Apache Tomcat Information disclosure Severity: Important Vendor: The Apache Software Foundation Versions Affected: - Tomcat 7.0.0 to 7.0.21 - Tomcat 6.0.30 to 6.0.33 - Earlier versions are not affected Description: For performance reasons, information parsed from a request is

[Full-disclosure] [SECURITY] CVE-2012-0022 Apache Tomcat Denial of Service

2012-01-17 Thread Mark Thomas
CVE-2012-0022 Apache Tomcat Denial of Service Severity: Important Vendor: The Apache Software Foundation Versions Affected: - Tomcat 7.0.0 to 7.0.22 - Tomcat 6.0.0 to 6.0.33 - Tomcat 5.5.0 to 5.5.34 - Earlier, unsupported versions may also be affected Description: Analysis of the recent hash

[Full-disclosure] [TOOL RELEASE] Exploit Next Generation SQL Fingerprint v1.12.120115/RC0

2012-01-17 Thread Nelson Brito
It has been a long, long time since the last public release (more than one year) of the Exploit Next Generation® SQL Fingerprint, but it is back to the road. For those that are not familiarized with Exploit Next Generation® SQL Fingerprint, it is a powerful tool which performs version

[Full-disclosure] PHP 5.3.8 Multiple vulnerabilities

2012-01-17 Thread Maksymilian Arciemowicz
[ PHP 5.3.8 Multiple vulnerabilities ] Author: Maksymilian Arciemowicz Website: http://cxsecurity.com/ Date: 14.01.2012 CVE: CVE-2011-4153 (zend_strndup) Original link: http://cxsecurity.com/research/103 [--- 1. Multiple NULL Pointer Dereference

[Full-disclosure] [SECURITY] [DSA 2389-1] linux-2.6 security update

2012-01-17 Thread dann frazier
Debian Security Advisory DSA-2389-1 secur...@debian.org http://www.debian.org/security/ Dann Frazier January 15, 2012

[Full-disclosure] Tine v2.0 Maischa - Cross Site Scripting Vulnerability

2012-01-17 Thread resea...@vulnerability-lab.com
Title: Tine v2.0 Maischa - Cross Site Scripting Vulnerability Date: 2012-01-13 References: http://www.vulnerability-lab.com/get_content.php?id=379 VL-ID: 379 Introduction: Tine 2.0 is an open source project which combines groupware and CRM in

[Full-disclosure] MegaSWF - Persistant Cross Site Scripting Vulnerability

2012-01-17 Thread resea...@vulnerability-lab.com
Title: MegaSWF - Persistant Cross Site Scripting Vulnerability Date: 2012-01-12 References: http://www.vulnerability-lab.com/get_content.php?id=368 VL-ID: 368 Introduction: Do you create Flash games, Flash animations, or any other type of

[Full-disclosure] Canopus Internet Banking FIVE - Auth Bypass Vulnerability

2012-01-17 Thread resea...@vulnerability-lab.com
Title: Canopus Internet Banking FIVE - Auth Bypass Vulnerability Date: 2012-01-12 References: http://www.vulnerability-lab.com/get_content.php?id=305 VL-ID: 305 Introduction: Automation of banks, small and medium sized, money transfer systems,

[Full-disclosure] Zimbra Desktop v7.1.2 - Persistent Software Vulnerability

2012-01-17 Thread resea...@vulnerability-lab.com
Title: Zimbra Desktop v7.1.2 - Persistent Software Vulnerability Date: 2012-01-12 References: http://www.vulnerability-lab.com/get_content.php?id=378 VL-ID: 378 Introduction: The Zimbra offline client (also Zimbra Desktop) for Microsoft Windows,

[Full-disclosure] DUS INT Airport - Multiple SQL Injection Vulnerabilities

2012-01-17 Thread resea...@vulnerability-lab.com
Title: DUS INT Airport - Multiple SQL Injection Vulnerabilities Date: 2012-01-11 References: http://www.vulnerability-lab.com/get_content.php?id=173 VL-ID: 173 Introduction: Duesseldorf International - Large airports are regional poles for

[Full-disclosure] Barracuda SSL VPN 480 - Multiple Web Vulnerabilities

2012-01-17 Thread resea...@vulnerability-lab.com
Title: Barracuda SSL VPN 480 - Multiple Web Vulnerabilities Date: 2012-01-12 References: http://www.vulnerability-lab.com/get_content.php?id=35 VL-ID: 35 Introduction: The Barracuda SSL VPN is an integrated hardware and software solution

[Full-disclosure] WebTitan Appliance v3.50.x - Multiple Web Vulnerabilities

2012-01-17 Thread resea...@vulnerability-lab.com
Title: WebTitan Appliance v3.50.x - Multiple Web Vulnerabilities Date: 2012-01-13 References: http://www.vulnerability-lab.com/get_content.php?id=89 VL-ID: 89 Introduction: WebTitan is a complete internet monitoring software (web filter) which

[Full-disclosure] dos attack on all 32bit php,asp etc services ?

2012-01-17 Thread Leutnant Steiner
hi, just for a nice sunday afternoon video, if not already known see: http://www.phpclasses.org/blog/post/171-PHP-Vulnerability-May-Halt-Millions-of-Servers.html did someone experience the impacts described for this vulnerability ? are you all on 64bit greetz -- Disclaimer: This

Re: [Full-disclosure] ZDI-12-012 : (0Day) McAfee SaaS myCIOScn.dll ShowReport Method Remote Command Execution

2012-01-17 Thread Emanuel Rietveld
I might be missing something, but if exploitation of this vulnerability requires the ability to instantiate the activeX control and calling a method, how is this a vulnerability? If the user allows arbitrary activeX controls to instantiate and allows scripting access, one could simply

Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-17 Thread E M
I would say that we need both types: the skiddies and the others. If you give to the skiddies enough fun at work they won't do something beyond the scope. But their scope should be: I have a site/system(of course, the test one, not the production one!) break it! They do it without being evil,

[Full-disclosure] trying to enhance online privacy

2012-01-17 Thread Andreas Pashalidis
Please help us enhance online privacy by participating in our anonymous survey at http://fheo.esat.kuleuven.be/survey We are currently working on a privacy-related browser extension, and want to make it more usable. For this, we need your help. It would be much appreciated if you could do the

Re: [Full-disclosure] Rate Stratfor's Incident Response

2012-01-17 Thread metasansana
Thus the sad state of security continues. While the experts and those with good intent continue to debate the line between legal and illegal, responsible and reckless, the malicious hackers continue to profit from the ignorance of average users and the sites they trust. Sent from my

[Full-disclosure] PenTest Extra 01/2012 Released

2012-01-17 Thread Krzysztof Marczyk
Hello, First issue of PenTest Extra in 2012 is released. This issue covers following articles: * XSS CSRF: Practical exploitation of post-authentication vulnerabilities in web applications by Marsel Nizamutdinov * Discovering Modern CSRF Patch Failures by Tyler Borland * Business

Re: [Full-disclosure] dos attack on all 32bit php, asp etc services ?

2012-01-17 Thread Ferenc Kovacs
On Sun, Jan 15, 2012 at 2:43 PM, Leutnant Steiner chk.mail...@gmail.com wrote: hi, just for a nice sunday afternoon video, if not already known see: http://www.phpclasses.org/blog/post/171-PHP-Vulnerability-May-Halt-Millions-of-Servers.html did someone experience the impacts described for

Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-17 Thread Martijn Broos
Most of the problems start already at education. There is not enough focus during school time what security beholds and what consequences are of bad design, bad programming, bad architecture and bad security principles. I know schoolbooks that even don't mention security at all or is explained

Re: [Full-disclosure] ZDI-12-012 : (0Day) McAfee SaaS myCIOScn.dll ShowReport Method Remote Command Execution

2012-01-17 Thread Jeffrey Walton
On Mon, Jan 16, 2012 at 4:33 AM, Emanuel Rietveld codehot...@gmail.com wrote: I might be missing something, but if exploitation of this vulnerability requires the ability to instantiate the activeX control and calling a method, how is this a vulnerability? If the user allows arbitrary activeX

Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-17 Thread Valdis . Kletnieks
On Tue, 17 Jan 2012 14:09:13 +0100, Martijn Broos said: If programmers are aware of security consequences, they would fix them in the first place or try to avoid them. Unfortunately, there's this problem called already announced ship date. Go take a look at Skyrim - they announced 11/11/11

Re: [Full-disclosure] Full-Disclosure Digest, Vol 83, Issue 21

2012-01-17 Thread Mikhail A. Utin
Hello List, So far it has been very interesting discussion, but nevertheless nobody went to the Source, which is the Law, and used US Codes (or any others) as reference in the consideration of cases and examples. To the best of my judgment does not help too much and we are getting the result

Re: [Full-disclosure] Full-Disclosure Digest, Vol 83, Issue 21

2012-01-17 Thread Valdis . Kletnieks
On Tue, 17 Jan 2012 11:08:02 EST, Mikhail A. Utin said: So far it has been very interesting discussion, but nevertheless nobody went to the Source, which is the Law, 18 USC 1030 is the governing Federal statute in the US. In addition, many of the states have their own legislation.

Re: [Full-disclosure] Full-Disclosure Digest, Vol 83, Issue 21

2012-01-17 Thread Benjamin Kreuter
On Tue, 17 Jan 2012 12:28:11 -0500 valdis.kletni...@vt.edu wrote: Basically, you use a flaw to extract secret info from a protected computer, and you aren't an authorized pen tester with a signed get out of jail free card from the owner of the computer, you just bought yourself a felony rap.

Re: [Full-disclosure] Full-Disclosure Digest, Vol 83, Issue 21

2012-01-17 Thread Valdis . Kletnieks
On Tue, 17 Jan 2012 14:13:00 EST, Benjamin Kreuter said: Looking at that law, I am not even sure that you need to use a flaw to extract secret info. It looks like something as simple as transmitting a message to each user that dictates what they are authorized to do is enough to trigger the

Re: [Full-disclosure] Full-Disclosure Digest, Vol 83, Issue 21

2012-01-17 Thread BMF
On Tue, Jan 17, 2012 at 11:23 AM, valdis.kletni...@vt.edu wrote: Yes, people *have* been prosecuted for playing twiddle the URL games before.  I'd have to go dig up a cite, but it's happened (hacker was basically abusing a site's predictable URL scheme). Here is one relatively recent incident

[Full-disclosure] [CVE-2012-0207] Linux IGMP Remote Denial Of Service

2012-01-17 Thread HI-TECH .
Demonstration of the Exploit: http://www.youtube.com/watch?v=78nAxh70yZE (thanks ClsHack) see attached content /Kingcope /* ** linux-undeadattack.c ** Linux IGMP Remote Denial Of Service (Introduced in linux-2.6.36) ** CVE-2012-0207 ** credits to Ben Hutchings: **

Re: [Full-disclosure] [CVE-2012-0207] Linux IGMP Remote Denial Of Service

2012-01-17 Thread Dan Kaminsky
LAN-only, no? Sent from my iPhone On Jan 17, 2012, at 4:11 PM, HI-TECH . isowarez.isowarez.isowa...@googlemail.com wrote: Demonstration of the Exploit: http://www.youtube.com/watch?v=78nAxh70yZE (thanks ClsHack) see attached content /Kingcope undeadattack.c

Re: [Full-disclosure] [CVE-2012-0207] Linux IGMP Remote Denial Of Service

2012-01-17 Thread Valdis . Kletnieks
On Tue, 17 Jan 2012 16:14:46 EST, Dan Kaminsky said: LAN-only, no? Depends. Your network security people ever read BCP38? :)

Re: [Full-disclosure] [CVE-2012-0207] Linux IGMP Remote Denial Of Service

2012-01-17 Thread HI-TECH .
Tested and vulnerable against: * Linux kernels above or equal to 2.6.36 (local network) Untested * Your iPhone * I heard of rumours that the bug is triggerable using unicast addresses across the internet Am 17. Januar 2012 22:14 schrieb Dan Kaminsky d...@doxpara.com: LAN-only, no? Sent from

Re: [Full-disclosure] [CVE-2012-0207] Linux IGMP Remote Denial Of Service

2012-01-17 Thread xD 0x41
On 18 January 2012 09:38, HI-TECH . isowarez.isowarez.isowa...@googlemail.com wrote: Tested and vulnerable against: * Linux kernels above or equal to 2.6.36 (local network) Untested * Your iPhone * I heard of rumours that the bug is triggerable using unicast addresses across the internet

[Full-disclosure] The Bug Which Isn't a Bug

2012-01-17 Thread InterN0T Advisories
Dear Full Disclosers. A couple of days ago, I discovered a bug in the Disqus Widget for Blogger.com (I haven't heard anything from them yet, even though I've provided them with a permanent solution that fixes the problematic code entirely. See end of blog entry via the link.) When a user adds